
Deconstructing Information Security Standards: NIST CSF

The Cybersecurity Framework (CSF) is a set of information security guidelines (not a checklist) published by the National Institute of Standards and Technology (NIST), so its content is concise and to the point. The CSF document also provides an informative references table that maps its subcategories to ISO/IEC 27001:2013 (a newer edition, ISO/IEC 27001:2022, has since been released), ISACA's COBIT, the CIS Critical Security Controls, and NIST's own SP 800-53.

The CSF has five core functions: Identify, Protect, Detect, Respond, and Recover. Their contents are summarized as follows:

Identify: Develop the organizational understanding needed to manage cybersecurity risk to systems, people, assets, data, and capabilities.

(1) Asset Management. Purpose: identify and manage all assets consistently with business objectives and the risk strategy. Approach: inventory all physical devices, systems, software platforms and applications, including external information systems.

(2) Business Environment. Purpose: understand the organization's mission, objectives and activities so that its cybersecurity roles, responsibilities and risk decisions can be defined. Approach: identify the organization's role in the supply chain, in critical infrastructure and in its industry sector, and derive cybersecurity requirements and responsibilities for the work environment and for third parties.

(3) Governance. Purpose: identify the policies, procedures and processes used to manage cybersecurity requirements. Approach: establish and communicate the cybersecurity policy, and understand and manage the legal and regulatory requirements that apply.

(4) Risk Assessment. Purpose: understand the cybersecurity risk to operations, assets and individuals. Approach: identify and document risks and asset vulnerabilities, and assess risk along four dimensions: threats, vulnerabilities, likelihoods and impacts.

(5) Risk Management Strategy. Purpose: establish priorities, constraints, risk tolerances and assumptions to support risk decisions. Approach: determine risk tolerance, informed by the organization's role in critical infrastructure and its sector-specific risk analysis.

(6) Supply Chain Risk Management. Purpose: establish processes to identify, assess and manage supply chain risks. Approach: assess, document and prioritize the cyber supply chain risks posed by suppliers and third parties, and plan and test response and recovery with them.

Protect: Develop and implement appropriate safeguards to ensure the delivery of critical services.

(1) Identity Management, Authentication and Access Control. Purpose: limit access to assets and facilities to authorized users, processes and devices, consistent with the assessed risk of unauthorized access. Approach: manage identities and credentials for authorized devices, users and processes; authenticate them and limit their permissions according to those identities.

(2) Awareness and Training. Purpose: provide cybersecurity awareness education and train personnel and partners to perform their security-related duties. Approach: inform and train all users about their requirements and responsibilities.

(3) Data Security. Purpose: manage information in line with the risk strategy to protect its confidentiality, integrity and availability. Approach: manage assets formally throughout removal, transfer and disposal, and keep development, testing and production environments separate.

(4) Information Protection Processes and Procedures. Purpose: maintain and apply the security policies, processes and procedures that protect information systems and assets. Approach: establish a baseline configuration, and implement, maintain and test backup and restore procedures.

(5) Maintenance. Purpose: maintain industrial control and information system components securely. Approach: perform and log maintenance and repair of assets, and prevent unauthorized access during remote maintenance and operation.

(6) Protective Technology. Purpose: apply technical security solutions to protect systems and assets. Approach: restrict and protect the use of removable media, and apply least functionality (for example, provide only business-essential functions and disable unnecessary functions, ports, protocols and services).

Detect: Develop and implement appropriate activities to identify the occurrence of a cybersecurity event.

(1) Anomalies and Events. Purpose: detect anomalous activity and understand its potential impact. Approach: collect and correlate event data from multiple sources and sensors, and establish incident alert thresholds.

(2) Security Continuous Monitoring. Purpose: monitor information systems and assets to identify cybersecurity events and verify the effectiveness of protective measures. Approach: detect malicious code and unauthorized mobile code, and monitor for unauthorized personnel, connections, devices and software.

(3) Detection Processes. Purpose: maintain and test detection processes and procedures to ensure that events are detected. Approach: define roles and responsibilities for detection, and communicate event detection information.

Respond: Develop and implement appropriate activities to take action regarding a detected cybersecurity incident.

(1) Response Planning. Purpose: execute and maintain response processes and procedures to ensure an effective response to detected cybersecurity incidents. Approach: execute the response plan during or after an incident.

(2) Communications. Purpose: coordinate response activities with internal and external stakeholders. Approach: report incidents according to established criteria.

(3) Analysis. Purpose: conduct analysis to ensure an effective response and to support recovery activities. Approach: investigate notifications from detection systems, and identify and understand the impact of the incident.

(4) Mitigation. Purpose: contain, resolve and mitigate the effects of cybersecurity incidents. Approach: contain and mitigate incidents, and document newly identified vulnerabilities.

(5) Improvements. Purpose: improve response activities by incorporating lessons learned. Approach: incorporate lessons learned into response plans and keep response strategies updated.

Recover: Develop and implement appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired by a cybersecurity incident.

(1) Recovery Planning. Purpose: execute and maintain recovery processes and procedures to ensure that affected systems and assets are restored. Approach: execute the recovery plan during or after an incident.

(2) Improvements. Purpose: improve recovery planning and processes by incorporating lessons learned. Approach: incorporate lessons learned into the plan and keep it updated.

(3) Communications. Purpose: coordinate restoration activities with internal and external parties. Approach: manage public relations and coordinate recovery activities with internal and external stakeholders and management.


Steps for establishing a CSF program in an organization:
Step 1: Identify cybersecurity goals and priorities. (scope and prioritization)
Step 2: Identify relevant systems and assets, compliance requirements and overall risk. (direction)
Step 3: Self-assess the current level of implementation. (current-state review)
Step 4: Analyze the operating environment to determine the likelihood and impact of a cybersecurity incident. (risk assessment)
Step 5: Describe the desired cybersecurity goals. (set goals)
Step 6: Compare the current level of implementation with the desired cybersecurity goals and analyze the gap. (gap analysis)
Step 7: Adjust existing practices, or propose new ones, to close these gaps. (action plan)
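As an added example (not part of the original article or of NIST's publications), the script below walks steps 1 to 7 for a handful of the categories described above: it scores each category by priority (step 1), likelihood and impact (step 4), compares a current profile (step 3) with a target profile (step 5), and turns the gap (step 6) into a ranked action list (step 7). The 1-4 tier scale, the priority and risk scores, and both profiles are constructed sample data.

```python
# Added example, not from the original article: a CSF profile gap analysis
# that walks steps 1 to 7. Category names are those the article lists; the
# 1-4 tier scale, priorities, likelihood/impact scores and both profiles are
# constructed sample data, not NIST guidance.
from dataclasses import dataclass
TIER = {1: "Partial", 2: "Risk Informed", 3: "Repeatable", 4: "Adaptive"}

@dataclass(frozen=True)
class Category:
    function: str    # Identify / Protect / Detect / Respond / Recover
    name: str
    priority: int    # step 1: business priority, 1 (low) .. 3 (high)
    likelihood: int  # step 4: 1 .. 5
    impact: int      # step 4: 1 .. 5

CATEGORIES = [  # constructed subset of the categories described above
    Category("Identify", "Asset Management", 3, 4, 4),
    Category("Identify", "Supply Chain Risk Management", 2, 3, 5),
    Category("Protect", "Identity Management, Authentication and Access Control", 3, 4, 5),
    Category("Protect", "Protective Technology", 2, 3, 3),
    Category("Detect", "Security Continuous Monitoring", 3, 4, 4),
    Category("Respond", "Mitigation", 2, 2, 4),
    Category("Recover", "Recovery Planning", 2, 2, 5),
]
# Step 3 (current) and step 5 (target) profiles: category name -> tier
CURRENT = {"Asset Management": 1, "Supply Chain Risk Management": 1,
           "Identity Management, Authentication and Access Control": 2,
           "Protective Technology": 3, "Security Continuous Monitoring": 1,
           "Mitigation": 2, "Recovery Planning": 2}
TARGET = {"Asset Management": 3, "Supply Chain Risk Management": 2,
          "Identity Management, Authentication and Access Control": 4,
          "Protective Technology": 3, "Security Continuous Monitoring": 3,
          "Mitigation": 3, "Recovery Planning": 3}

def gap_analysis(categories, current, target):
    """Step 6: categories below target, ordered for the step 7 action plan.
    score = tier gap * priority * likelihood * impact; highest acts first."""
    rows = []
    for c in categories:
        gap = target[c.name] - current[c.name]
        if gap <= 0:
            continue  # at or above target: no action item
        rows.append({"function": c.function, "category": c.name, "gap": gap,
                     "from": TIER[current[c.name]], "to": TIER[target[c.name]],
                     "score": gap * c.priority * c.likelihood * c.impact})
    return sorted(rows, key=lambda r: (-r["score"], r["category"]))

if __name__ == "__main__":
    for r in gap_analysis(CATEGORIES, CURRENT, TARGET):
        print(f'{r["score"]:4d} {r["function"]:8} {r["category"]}: {r["from"]} -> {r["to"]}')
```

Categories already at their target tier (Protective Technology here) drop out of the list, so the output is only the work that remains.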
